Science and technology

Internet security

Once more unto the breach

VERISIGN is the Rolls-Royce of internet security, a byword for integrity and assurance. Alongside its corporate domain-registry business, the internet-services firm offers protection against distributed denial-of-service (DDoS) attacks, in which armies of zombie PCs conscripted by malware clog up the websites of corporations and other institutions. It provides so-called active-vulnerability monitoring, flagging up threats to a business's online presence. And it maintains the supposedly impregnable infrastructure that converts domain names ending in .com, .net and others into the numeric addresses that servers and computers actually use. Companies trust VeriSign to ensure that no one is messing with their internet plumbing.

This trust will be called into question after the discovery by Reuters of a previously unreported security breach from 2010. The information-services firm was poring over 2,000 securities filings made since a ruling in September 2011 by the Securities and Exchange Commission, America's stock-market regulator, went into effect requiring the disclosure of data breaches. During that investigation, its data sleuths stumbled on this astonishing admission in VeriSign's quarterly report from October 28th 2011:

In 2010, the Company faced several successful attacks against its corporate network in which access was gained to information on a small portion of our computers and servers. We have investigated and do not believe these attacks breached the servers that support our Domain Name System ("DNS") network....Management was informed of the incident in September 2011 and, following the review, the Company's management concluded that our disclosure controls and procedures are effective.

This is staggering on several counts. For a start, neither VeriSign's customers nor, it seems, its senior management were initially informed about the incident. Were it not for Reuters, the breach might well have been lost among the filings' fine print. Next, VeriSign has been worryingly vague about whether its DNS servers were subverted: it does "not believe" they were, but cannot say for sure. A follow-up statement from the firm on February 3rd was similarly mealy-mouthed.

As Babbage has written previously, the digital certificates that websites use for secure communications (SSL/TLS certificates in the jargon) are meant to assure a visitor that the server at the other end really belongs to the domain name typed into the browser. That assurance rests on two things: that the process of turning a domain name (like economist.com) into a numeric address (like 64.14.173.20) has not been tampered with, and that only the legitimate owner of a name can obtain a certificate for it. DNS can, however, be "poisoned" so that a resolver hands out the numeric address of a malicious site instead. A poisoned lookup on its own ought to trigger a browser warning, because the impostor cannot present a valid certificate for the name. But if the mischief-maker has also pilfered, or fraudulently obtained, certificates from the certificate authorities that issue them (as happened several times in the past year), no warning appears, and users can be fooled into thinking they have entered, say, a secure online-payment site and into parting with their credit-card details. (Since people often choose to ignore browser warnings about unverified online credentials, poisoned DNS is often enough to perpetrate a fraud of this sort; there is no need for bogus digital certificates.)
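To make the "poisoning" above concrete, here is an added illustration in Python. It is not part of the article and not VeriSign's, Reuters' or anyone else's code: a toy stub resolver that, like a real one without DNSSEC, accepts the first reply whose transaction ID and destination port match a query it has outstanding, and caches whatever address that reply contains. The domain, the article's 64.14.173.20 and the attacker's 203.0.113.66 (an address from a documentation range) are assumptions for the illustration; all messages are constructed byte strings and nothing is sent on a network.

```python
"""Toy stub resolver illustrating DNS cache poisoning. Added example for this
article, not code from VeriSign, Reuters or The Economist; runs offline on
constructed bytes. The domain, the article's 64.14.173.20 and the attacker's
203.0.113.66 (a documentation-range address) are assumptions."""
import random
import struct

A_RECORD, IN_CLASS = 1, 1
REAL_IP, ATTACKER_IP = "64.14.173.20", "203.0.113.66"
NAME = "economist.com"

def encode_name(name: str) -> bytes:
    """'economist.com' -> b'\\x09economist\\x03com\\x00' (RFC 1035 labels)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(msg: bytes, off: int) -> tuple[str, int]:
    """Read a name at msg[off], following 0xC0xx compression pointers; return (name, next offset)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # pointer: continue elsewhere in msg
            if end is None:
                end = off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)

def build_response(txid: int, name: str, ip: str, ttl: int = 300) -> bytes:
    """One A record. Genuine server and forger produce identical messages bar ID, port and IP."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR|RD|RA, 1 question, 1 answer
    question = encode_name(name) + struct.pack("!HH", A_RECORD, IN_CLASS)
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", A_RECORD, IN_CLASS, ttl, 4) + rdata
    return header + question + answer                    # 0xC00C = pointer to the question name

def parse_response(msg: bytes) -> dict:
    txid, _flags, _qd, ancount, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    qname, off = decode_name(msg, 12)
    off += 4                                             # skip qtype, qclass
    answers = []
    for _ in range(ancount):
        rname, off = decode_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == A_RECORD and rclass == IN_CLASS and rdlen == 4:
            answers.append((rname.lower(), ".".join(map(str, rdata))))
    return {"txid": txid, "qname": qname.lower(), "answers": answers}

class StubResolver:
    """Caches the first reply whose transaction ID and destination port match a query it sent."""
    def __init__(self, rng: random.Random, randomize_port: bool = True):
        self.rng, self.randomize_port = rng, randomize_port
        self.cache: dict[str, str] = {}
        self.pending: dict[tuple[int, int], str] = {}    # (txid, our source port) -> name

    def query(self, name: str) -> tuple[int, int]:
        txid = self.rng.randrange(1 << 16)
        port = self.rng.randrange(1024, 1 << 16) if self.randomize_port else 53
        self.pending[(txid, port)] = name.lower()
        return txid, port

    def receive(self, msg: bytes, dst_port: int) -> bool:
        """All a non-DNSSEC resolver can check: right ID, right port, right question name."""
        resp = parse_response(msg)
        key = (resp["txid"], dst_port)
        name = self.pending.get(key)
        if name is None or resp["qname"] != name:
            return False                                 # unsolicited or off-question: dropped
        for rname, ip in resp["answers"]:
            if rname == name:
                del self.pending[key]
                self.cache[name] = ip
                return True
        return False

def single_reply_cases() -> dict:
    """Random ID and random port: a forger needs both right; the genuine reply then wins."""
    r = StubResolver(random.Random(1))
    txid, port = r.query(NAME)
    wrong_id = r.receive(build_response((txid + 1) & 0xFFFF, NAME, ATTACKER_IP), port)
    wrong_port = r.receive(build_response(txid, NAME, ATTACKER_IP), 53)   # leaked ID, guessed port
    r.receive(build_response(txid, NAME, REAL_IP), port)
    return {"wrong_id_accepted": wrong_id, "wrong_port_accepted": wrong_port, "cached": r.cache.get(NAME)}

def brute_force_fixed_port() -> tuple[int, str, bool]:
    """Random ID but fixed port 53: at most 65,536 forged replies poison the cache.
    Returns (replies sent, cached IP, whether the late genuine reply was accepted)."""
    r = StubResolver(random.Random(7), randomize_port=False)
    txid, _ = r.query(NAME)
    attempts = 0
    for guess in range(1 << 16):
        attempts += 1
        if r.receive(build_response(guess, NAME, ATTACKER_IP), 53):
            break
    late_genuine = r.receive(build_response(txid, NAME, REAL_IP), 53)  # nothing pending: dropped
    return attempts, r.cache[NAME], late_genuine
```

Two points the article relies on fall out of this. With a fixed source port the forger's search space is the 65,536 transaction IDs, and a flood of guesses racing the genuine reply wins in at most that many tries; randomising the port as well multiplies the space by roughly 64,000, which is why resolvers were changed to do so in 2008. Neither check authenticates the answer, only DNSSEC does that, so once the cache holds 203.0.113.66 every visitor is sent to the impostor and the certificate check in the browser is the last line of defence. That is exactly why a stolen or mis-issued certificate for the name, or a user who clicks through the warning, turns a poisoned lookup into a completed fraud.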

In 2010 VeriSign spun off a security-services business which, among other things, managed digital certificates used within companies and by customers, to Symantec, another industry giant. The transaction took place between April and August 2010, putting a question mark over Symantec's role in the imbroglio. That firm continues to use VeriSign's original domain name (verisign.com) and brand for the business segment it acquired. (VeriSign, too, continues to employ its brand, at verisigninc.com, for domain-name registration and intrusion monitoring.)

VeriSign boasts of over 110m registered domains. The subversion of just one of these could affect millions of consumers, government agencies and corporate web users in a single day. This ought to have prompted the company to alert its partners immediately, to limit any potential damage. Burying the breach under the mountain of impenetrable prose in a securities filing will be a blot on VeriSign's otherwise spotless record for years to come.

Readers' comments

Seems a little unfair to trash these guys considering they'd reported this in their annual report! Let's safely assume that there will always be crooks out there looking to breach security - just as there are muggers and bank robbers - and they will succeed from time to time.

I work for Symantec and just wanted to clarify that the Trust Services (SSL, User Authentication (VIP, PKI, FDS)) and other production systems acquired by Symantec were NOT compromised by the corporate network security breach mentioned in the Verisign, Inc. quarterly filing.

That's very smart, the diversification of valuable information, so that when you are attacked the attackers only take out one node and have to reorganize and use resources to take on a new target node; it gives Verisign enough time to study the attack and adjust for it. It makes me wonder, with all the security issues surrounding the cloud-computing movement, why they don't create a Verisign-esque type of service that can act as a shield against the attackers by providing some sort of dynamic certificate service. I know it would make me feel a lot better if any of the online storage services offered a Verisign-type guarantee that files could only be accessed by computers with the Verisign fingerprint, and if you are trying to access them remotely you could call in to an automated system to get a new code based on a PIN number or something like that... I'm a dreamer!

Aren't networked computer systems too complex to be secure? How many million lines of software code lie between you and just about anything you do? What do you use to detect problems in this lot? Yes, more million lines of software code. In the physical world evidence is left behind that ineluctably follows the laws of physics and chemistry. In the software world anything goes.

I suspect that computer security (or, more accurately, lack thereof) is going to be an increasingly big topic in the coming years. There is just way too much of the whistling past the graveyard on the part of the industry, combined with optimistic ignorance on the part of users.

Several of us (all in the computer business for decades) were chatting last week. We all expressed amazement at the number of people who were doing their taxes (necessarily including giving name, address, and social security number) on-line, and then storing the results "in the cloud." None of us could imagine putting our own information at risk that way. It just seemed like an invitation to disaster.

The question is, how big and painful a breach will it take before people in general realize that they are throwing themselves open to the world? My suspicion is, unless they or their immediate families have been hit, there won't be a lot of recognition until there are tens or hundreds of thousands bankrupted in a very short span of time. And, whether it happens in two years or twenty, it is going to happen.